In Part 1, Part 2 and Part 3 of our series on the General Scheme to the Data Protection Bill 2017 (General Scheme), we examined how the General Scheme proposes to legislate in respect of the General Data Protection Regulation (GDPR) alongside implementing the provisions of the Law Enforcement Directive into Irish law. Under the proposed rules, the Office of the Data Protection Commissioner would be restructured as a Data Protection Commission with the Circuit Court being used to confirm fines potentially up to €20 million or 4% of a business's annual global turnover.
As part of the pre-legislative stage, the Committee on Justice and Equality (the Committee) heard expert evidence and sought submissions from a range of stakeholders on the current draft of the General Scheme. At the end of November 2017 the Committee released its report and addressed the following issues:
- Structure of Irish Data Protection Law: As the General Scheme proposes to repeal the Data Protection Acts 1988 and 2003 (DP Acts), a concern was expressed to the Committee by the Data Protection Commissioner that there were parts of the DP Acts which should be retained. Dr Denis Kelleher agreed with the Commissioner and, in addition to expressing concern around the feasibility of timing of a complete repeal of the DP Acts given GDPR's May 2018 deadline, said that a total repeal could also result in a piecemeal approach to data protection law in Ireland. Additionally Dr TJ McIntyre (representing Digital Rights Ireland) stated that while he felt the DP Acts should be repealed in their entirety, he recommended that the Law Enforcement Directive be instead transposed in a separate piece of legislation to prevent confusion. Although the Committee acknowledged that it would be "desirable in the interest of clarity that any provisions of the Data Protection Acts" that "need to be retained in national law" are "repealed and re-enacted" in separate and standalone legislation, nevertheless it recommended that the DP acts be repealed in full.
- Children's Rights: Special Rapporteur on Child Protection Dr Geoffrey Shannon focused on providing evidence on the digital age of consent and other data protection issues related to children. Previously in July 2017 the Cabinet had agreed that the digital age of consent should be set at 13 years of age. While the Committee acknowledged that other experts had recommended setting the age of consent closer to 16, it agreed with the Cabinet's decision while noting that there "was merit in reviewing the digital age of consent" as part of the "post-enactment scrutiny of the Bill". The Committee further acknowledged that opportunity should be given to allow for children to express their views, the legal definition of 'child' should be set at 13 and that a policy framework should be implemented around digital safety and the processing of sensitive child data.
- Sanctions & Compensation: Head 23 of the General Scheme proposes that administrative fines may only be imposed on public bodies for data breaches arising from its activity as an "undertaking." This would arise when a public body is providing goods or services alongside a private body such as a public and private hospital. In its report, the Committee noted that the Commissioner stated that the proposed exemption is "a serious matter of concern" and therefore concluded that "fines be administered to public bodies in breach of the new data protection legislation where appropriate, in order to encourage compliance with the new legislation." As Article 82 of the GDPR provides compensation for material or non-material damage due to an infringement of data protection rights, the Committee concluded that there was merit to addressing this more explicitly. Similarly, it recommended that a more explicit provision should be included to address the extent to which individuals may mandate a not-for-profit body to seek compensation on their behalf.
The final report has been sent to the Minister for Justice and Equality for consideration and the General Scheme is expected to be scrutinised further during the coming legislative agenda. While there is still scope for changes before the Law's enactment, considering the implementation date of the GDPR is now less than six months away, time is limited for any major alterations or additions.
This is the fourth article in a series on the General Scheme for the Data Protection Bill 2017.